Open Source Security
How to get lots of security for a low, low price
Rachel Engel
Agenda
• Open Source Projects: Projects with frequent human resource constraints
• How to get good security with few resources through solid planning
• Use SSL
• SQL Injection
• XSS
• Secure Password Storage
• CSRF
Human Resource Constraints
• Open source projects are done by volunteers.
• It is often really hard to get enough people, and to get those people to work on specific tasks (bugs, less technically in-depth features, build cleanup, QC, documentation, etc.).
• "Hey! Could you spend Saturday going back and looking through 100k lines of code looking for injection bugs?"
• If you plan well, though, your project can be protected against many attack classes from the start.
Planning Well Saves Time
• Security bugs are often expensive to fix because people fix them well after the application is already developed.
• It's many, many times cheaper and easier to do it from the start.
• Four specific classes of web security bug can be cheaply defended against by planning well from the start.
Use SSL (apologies to Baz Luhrmann)
• If I could offer you only one tip for the future, SSL would be it. The long-term benefits of SSL have been proved by scientists, whereas the rest of my advice has no basis more reliable than my own meandering experience. I will dispense this advice now.
• Seriously. Front to back, SSL only. If people enter the website via HTTP, redirect them to the HTTPS version of the site.
• GlobalSign is offering free certificates for open source projects!
SQL Injection
• Big flashy vulnerability
• Primary vulnerability used by LulzSec hackers
• On a technical level, SQL Injection is a completely solvable problem if you plan well.
• Example of Vulnerable Code:
• $string = "select * from table where field = '" + $user_input + "';";
  execute_statement($string);
• Issue: If the user's input contains valid SQL code, the user can execute SQL queries of their own choosing against the database.
• This is how headlines like "50 BILLION PASSWORDS STOLEN FROM CONGLOMCO" start.
SQL Injection
• The issue is that the user input is used directly in the construction of the SQL query. If we separate the data from the query, the statement is no longer vulnerable. Enter parameterized queries.
• $query = "select * from table where field = ?";
  execute_parameterized_query($query, $user_input);
SQL Injection
• $user_input is now treated as data separate from the query. SQL injection vulnerability: fixed.
• Important note: it's still possible to build a "parameterized" query whose text is itself assembled from user data, which brings the vulnerability straight back. Make sure people know why they're using parameterized queries, not just that they should.
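The two patterns above, as an added Python/sqlite3 example that is not from the slides: the string-built query executes whatever SQL the input carries, the placeholder version treats the same input as a plain value, and a third function shows the case the note warns about, a column name chosen by the caller, which cannot be bound as a parameter and so has to be allow-listed instead. The table, its rows and the tautology input are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the slides): an in-memory users table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build the in-memory table the functions below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, email text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """The slide's $string = "select ... where field = '" + $user_input + "';" pattern.

    The input becomes part of the SQL text, so any SQL inside it is run as SQL.
    Kept only to show the difference in behaviour; do not use this form.
    """
    query = "select username from users where username = '" + user_input + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_input):
    """The slide's $query = "select ... where field = ?" pattern.

    The driver sends the query text and the value separately; the value is never
    parsed as SQL, whatever characters it contains.
    """
    query = "select username from users where username = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


# Identifiers (table and column names) cannot be bound as parameters, which is the
# usual way people end up building "parameterized" queries out of user data.
ALLOWED_COLUMNS = {"username", "email"}


def lookup_by_column(conn, column, value):
    """Safe variant for a caller-chosen column: allow-list the identifier, bind the value."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not permitted: %r" % column)
    query = "select username from users where %s = ?" % column
    return [row[0] for row in conn.execute(query, (value,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1'='1"  # constructed input that happens to be valid SQL
    print("vulnerable:    ", lookup_vulnerable(db, tautology))     # every row comes back
    print("parameterized: ", lookup_parameterized(db, tautology))  # nobody has that name
    print("by column:     ", lookup_by_column(db, "email", "bob@example.test"))
```

Running the module shows the same input returning every row through the concatenated query and no row through the bound one; the allow-list in lookup_by_column is the check to reach for whenever the thing being chosen is a column or table name rather than a value.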
SQL Injection
• Normally these vulnerabilities are found by attackers after an application has already been built.
• If you write your application from the start to use parameterized queries, your application will be secure against SQL injection attacks from the start, for no additional time investment.
Cross Site Scripting (XSS)
• It's best to think of XSS as HTML/JavaScript injection.
• It happens when data received from users ends up being used to construct HTML or JavaScript directly (sound familiar?).
• Used by attackers to impersonate users on the website.
Cross Site Scripting (XSS)
• $username = webservice_input();
  $html = "<html> Hello, " + $username + "</html>";
• The user can submit HTML instead of their name, causing the web page to do whatever they want.
• Think of this in terms of a web forum. If the web forum permits cross site scripting, everyone reading the comments section ends up being served malware from shady websites.
Correct Mitigations that are cheap
• HTML Character Entity Encoding: long name, simple concept.
• HTML will render &gt; as >. Write a function that applies HTML character entity encoding to user input whenever it will be reflected into a web page.
• Other important characters to encode: " > < & '
• Session Cookies: apply the HttpOnly and Secure flags to your session cookies.
• HttpOnly ensures that cookies aren't accessible to script, and Secure ensures that cookies only go over SSL.
Correct mitigations (expensive)
• Admittedly this mitigation for XSS is expensive, but it's important.
• Input Validation: I've never seen > or & in anybody's name (apologies to anyone named Kathe>in&).
• For every bit of user input, make sure that it has the expected format/character set.
• Note: this applies to JavaScript as well. If user data gets injected into JavaScript, make sure that the input doesn't have ' ; or /
• This mitigation is less spendy if you're aware of it.
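An added Python example, not from the slides, covering the cheap mitigations (entity encoding, HttpOnly and Secure cookie flags) and the input-validation rules from the last two slides. The name policy (letters, spaces, hyphens, apostrophes, at most 64 characters) is an assumption made for the example; the encoded character set and the ' ; / rule for JavaScript are the ones the slides list.

```python
import re
from http.cookies import SimpleCookie

# Entity map for the characters the slide lists. '&' must be replaced first so the
# ampersands introduced by the other replacements are not encoded a second time.
_HTML_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
]


def html_encode(text):
    """HTML character entity encoding for data placed into HTML text or attribute values."""
    for char, entity in _HTML_ENTITIES:
        text = text.replace(char, entity)
    return text


def render_greeting(username):
    """Hardened form of the slide's $html = "<html> Hello, " + $username + "</html>"."""
    return "<html> Hello, " + html_encode(username) + "</html>"


def session_cookie_header(token):
    """Set-Cookie value for a session cookie carrying the HttpOnly and Secure flags."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True  # not readable by script
    cookie["session"]["secure"] = True    # only sent over HTTPS
    return cookie["session"].OutputString()


# Input validation. Assumed policy for this example: a name starts with a letter and
# otherwise holds letters, spaces, hyphens or apostrophes, 64 characters at most.
# Adjust to the project's real user population before adopting it.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def valid_name(name):
    """True when the name fits the expected character set (so > and & are rejected)."""
    return _NAME_RE.match(name) is not None


# Data that will land inside a JavaScript string must not contain ' ; or /,
# the three characters the slide calls out for that context.
_JS_UNSAFE = set("';/")


def safe_for_js_string(value):
    """True when none of the slide's JavaScript-breaking characters are present."""
    return not (_JS_UNSAFE & set(value))


if __name__ == "__main__":
    print(render_greeting('<script>alert("hi")</script>'))
    print(session_cookie_header("c0ffee"))
    print(valid_name("Kathe>in&"), valid_name("Mary-Jane O'Neil"))
    print(safe_for_js_string("hello"), safe_for_js_string("x'; alert(1); //"))
```

Note that the two layers are independent: "Mary-Jane O'Neil" passes the name check yet still needs html_encode before it is reflected into a page, and fails safe_for_js_string, so it could not be dropped into a script block as-is.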
Password Storage
• Never try to roll your own password storage. It's *really* hard.
• First wrong answer: storing passwords in plaintext. If the database gets lost, attackers have the users' passwords trivially.
• Second wrong answer: just apply a hash. Hackers have multi-terabyte tables mapping common passwords to their SHA-1 and MD5 hashes. You can download them from the web.
Password Storage
• Take three: include a 128-bit random number (salt) in every password hash
  $pw_hash = sha1($random + $password)
• This is better. It still doesn't take that long for attackers to build a rainbow table for a single salt, though.
• Take four: per-password salt. This is getting very close. The only downside now is that it still doesn't take that long to run MD5 or SHA-1 a few million times to hash common passwords.
Password Storage
• Doing it right: use a per-password salt, and make the hashing process really slow.
• The attackers need the hashing to be quick in order to attempt enough passwords for successful brute forcing.
• Bcrypt: a hash algorithm designed to be tunably slow. Its cost parameter lets you say how many times you want it to run the algorithm when hashing.
• Implementations for Java, Python, C, C#, Ruby, Perl, PHP
Password Storage
• If the hashing takes a few hundred milliseconds, users will scarcely notice the slight increase in time, as the hash happens only once per login attempt.
• Attackers are trying to hash a million passwords for every salt. A per-hash cost of a few hundred milliseconds stops brute forcing attacks pretty effectively.
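An added Python example, not from the slides, of the "doing it right" recipe using the standard library's PBKDF2 (the cheat sheet names it alongside bcrypt; bcrypt itself is a third-party package): a fresh 128-bit salt per password, a tunable iteration count stored with the hash so it can be raised later, and a constant-time comparison on verify. The default iteration count and the record format are assumptions for this example; measure the cost on your own hardware and set it so one hash takes the few hundred milliseconds the slide suggests.

```python
import hashlib
import hmac
import os

# Assumed defaults for this example: a 16-byte (128-bit) per-password salt, as the
# slide suggests, and a PBKDF2-HMAC-SHA256 iteration count that costs a few hundred
# milliseconds on current hardware. Tune ITERATIONS on the deployment machine.
SALT_BYTES = 16
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a lower cost than we now require;
    rehash such records at the user's next successful login."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    print(needs_rehash(record))                                     # False
```

Storing the iteration count inside the record is what makes the cost tunable after the fact: when hardware gets faster, raise ITERATIONS, and needs_rehash tells the login path which records to upgrade while the plaintext is briefly available.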
Cross Site Request Forgery
• Also known as hostile linking.
• The user is logged into bank.com.
• The user visits http://super-sketchy-site.com/
• The HTML at super-sketchy-site.com includes the image tag below:
  <img src="http://bank.com/transfer?amount=100000000&destination_account=10123453462">
• One billion dollars is transferred to the attacker's account.
Cross Site Request Forgery
• Really easy to defend against if you plan from the start.
• We'll tie the page that serves the user the money transfer form and the web service that receives the transfer request together.
• $csrf_nonce = sha2($hostname + $path + random());
  https://bank.com/transfer?amount=100&account=destination_account&csrf=$csrf_nonce
• The web service will know the csrf_nonce, as will the page the user is using, but the attacker doesn't.
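The scheme above, as an added Python example that is not from the slides: a per-session random value kept server-side, the token sha2($hostname + $path + random) embedded in the transfer form, and the web service recomputing it and refusing any request that lacks a matching token, which is exactly what the cross-site image tag produces. The session store, hostname constant and response strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side state, constructed for this example: each logged-in session gets one
# random value that a page on another origin has no way to read.
_SESSION_NONCES = {}

HOSTNAME = "bank.com"  # the slide's example host


def start_session(session_id):
    """Called at login: mint the per-session random value the tokens are built from."""
    _SESSION_NONCES[session_id] = secrets.token_hex(16)


def csrf_token(session_id, path):
    """The slide's $csrf_nonce = sha2($hostname + $path + random()), with the random
    value held per session so the server can recompute the token later."""
    nonce = _SESSION_NONCES[session_id]
    return hashlib.sha256((HOSTNAME + path + nonce).encode()).hexdigest()


def transfer_form_html(session_id):
    """Page that serves the transfer form: embeds the token as a hidden field."""
    token = csrf_token(session_id, "/transfer")
    return ('<form method="post" action="https://bank.com/transfer">'
            '<input type="hidden" name="csrf" value="%s">'
            '<input name="amount"><input name="account"></form>' % token)


def handle_transfer(session_id, params):
    """Web service side: refuse unless the token matches this session and this path."""
    if session_id not in _SESSION_NONCES:
        return "not logged in"
    supplied = params.get("csrf", "")
    expected = csrf_token(session_id, "/transfer")
    if not hmac.compare_digest(supplied, expected):
        return "rejected: missing or wrong csrf token"
    return "transferred %s to %s" % (params["amount"], params["account"])


if __name__ == "__main__":
    start_session("sess-victim")
    # What the slide's <img src="http://bank.com/transfer?..."> produces: the browser
    # attaches the session cookie, but the attacker's page cannot supply the token.
    print(handle_transfer("sess-victim", {"amount": "100000000",
                                          "account": "10123453462"}))
    # The real form carries the token, so the legitimate request goes through.
    token = csrf_token("sess-victim", "/transfer")
    print(handle_transfer("sess-victim", {"amount": "100",
                                          "account": "destination_account",
                                          "csrf": token}))
```

Binding the token to both the session and the path is what keeps a token issued for one form from being replayed against another; rotating the per-session value at login keeps an old token from outliving the session that minted it.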
Cross Site Request Forgery
• Why planning really helps here:
• The method above can really be written in an hour or so. If you do that at the start, and include it in every form request (GET and PUT) on your website, you'll be safely protected against CSRF.
• If you wait until the website is already built, it ends up being very expensive. You usually have to rewrite major portions of the web application to completely defend against it.
TL;DR / Cheat Sheet
• Use SSL front to back; get a free cert
• SQL Injection: use parameterized queries
• Cross Site Scripting: build an output encoding function, use it everywhere; HttpOnly flag, Secure flag
• Password storage: use bcrypt or PBKDF2 and a per-password salt
• CSRF: send sha2($hostname + $path + $random_number) in every request
Thank You
• Thanks to write/speak/code, and everyone here at the conference.
• Rachel Engel
• Principal Security Engineer at iSEC Partners
• 14 years in the computer industry (eek)
• rachel at isecpartners.com
• Contact tritter at isecpartners.com if you're in the NYC area and interested in security talks.
UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Open source security

1. Open Source Security
• How to get lots of security for a low, low price
• Rachel Engel

2. Agenda
• Open Source Projects: projects with frequent human resource constraints
• How to get good security with few resources through solid planning
• Use SSL
• SQL Injection
• XSS
• Secure Password Storage
• CSRF

3. Human Resource Constraints
• Open source projects are done by volunteers
• It is often really hard to get enough people, and to get those people to work on specific tasks (bugs, less technically in-depth features, build cleanup, QC, documentation, etc.)
• "Hey! Could you spend Saturday going back and looking through 100k lines of code looking for injection bugs?"
• If you plan well, though, your project can be protected against many attack classes from the start.

4. Planning Well Saves Time
• Security bugs are often expensive to fix because people fix them well after the application is already developed.
• It's many, many times cheaper and easier to do it from the start.
• Four specific classes of web security bug can be cheaply defended against by planning well from the start.

5. Use SSL (apologies to Baz Luhrmann)
• If I could offer you only one tip for the future, SSL would be it. The long-term benefits of SSL have been proved by scientists, whereas the rest of my advice has no basis more reliable than my own meandering experience. I will dispense this advice now.
• Seriously. Front to back, SSL only. If people enter the website via HTTP, redirect them to the HTTPS version of the site.
• GlobalSign is offering free certificates for open source projects!

6. SQL Injection
• Big flashy vulnerability
• Primary vulnerability used by LulzSec hackers
• On a technical level, SQL Injection is a completely solvable problem if you plan well.

7. SQL Injection
• Example of Vulnerable Code:
    $string = "select * from table where field = '" + $user_input + "';";
    execute_statement($string);
• Issue: If the user's input contains valid SQL code, the user can execute SQL queries of their own choosing against the database
• This is how headlines like "50 BILLION PASSWORDS STOLEN FROM CONGLOMCO" start.

8. SQL Injection
• The issue is that the user input is used directly in the construction of the SQL query. If we separate the data from the query, the statement is no longer vulnerable. Enter parameterized queries.
    $query = "select * from table where field = ?";
    execute_parameterized_query($query, $user_input);

9. SQL Injection
• $user_input is now treated as data separate from the query. SQL injection vulnerability: fixed
• Important note: it's still possible to build the text of a parameterized query out of user data, which brings the vulnerability straight back. It is important that people know why they're using parameterized queries.

10. SQL Injection
• Normally these vulnerabilities are found by attackers after an application has already been built.
• If you write your application from the start to use parameterized queries, your application will be secure against SQL injection attacks from the start, for no additional time investment.
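The three query shapes from slides 7 to 9 side by side, as an added Python example that is not part of the original slides. It uses the standard-library sqlite3 module and a constructed two-row users table; the function names and the table are assumptions for this demo. The third function shows the slide 9 warning: a statement that does use a ? placeholder but still pastes user-controlled text (here a column name) into the SQL is not protected.

```python
import sqlite3

# Constructed sample data for the demo; not from the original slides.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Slide 7's string-building pattern: user input becomes part of the SQL text."""
    sql = "select * from users where name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Slide 8's fix: the SQL text is a constant and the input is a bound parameter."""
    return conn.execute("select * from users where name = ?", (user_input,)).fetchall()


def lookup_column_from_user(conn, column, user_input):
    """Slide 9's warning: a '?' placeholder does not help when another piece of
    user-controlled text (the column name) is still pasted into the statement."""
    sql = "select * from users where " + column + " = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic test string; the database sees it as SQL
    print("vulnerable:    ", lookup_vulnerable(db, payload))      # both rows
    print("parameterized: ", lookup_parameterized(db, payload))   # no rows: no such name
    print("column pasted: ", lookup_column_from_user(db, "1=1 OR name", "nobody"))  # both rows
```

The parameterized lookup returns nothing for the test string because the driver hands the whole string to the database as a value to compare against, never as SQL; the only way to get the vulnerability back is to build the statement text itself from user data, as the last function does.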
11. Cross Site Scripting (XSS)
• It's best to think of XSS as HTML/JavaScript Injection
• It happens when data received from users ends up being used to construct HTML or JavaScript directly (sound familiar?)
• Used by attackers to impersonate users on the website.

12. Cross Site Scripting (XSS)
    $username = webservice_input();
    $html = "<html> Hello, " + $username + "</html>";
• The user can submit HTML instead of their name, causing the web page to do whatever they want.
• Think of this in terms of a web forum. If the web forum permits cross site scripting, everyone reading the comments section ends up being served malware from shady websites.

13. Correct Mitigations that are cheap
• HTML Character Entity Encoding: long name, simple concept.
• HTML will render &gt; as >. Write a function that applies HTML character entity encoding to user input whenever it will be reflected into a web page.
• Other important characters to encode: " > < & ' :
• Session Cookies: apply the HttpOnly and Secure flags to your session cookies
• HttpOnly ensures that cookies can't be accessed by script, and Secure ensures that cookies only go over SSL.

14. Correct mitigations (expensive)
• Admittedly this mitigation for XSS is expensive, but it's important.
• Input Validation: I've never seen > or & in anybody's name (apologies to anyone named Kathe>in&)
• For every bit of user input, make sure that it has the expected format/character set.
• Note: this applies to JavaScript as well. If user data gets injected into JavaScript, make sure that the input doesn't have ' ; or /
• This mitigation is less spendy if you're aware of it.
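The cheap and the expensive XSS mitigations from slides 13 and 14 together, as an added Python example (not code from the original slides): an output encoder for the characters slide 13 lists, the slide 12 greeting rewritten to call it at the point of output, an input validator for a name field, the slide 14 check for data headed into JavaScript, and a Set-Cookie header carrying the HttpOnly and Secure flags. The accepted name character set and the cookie name are assumptions for this example.

```python
import re
from http.cookies import SimpleCookie

# Characters slide 13 lists as important to encode, mapped to HTML character entities.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def html_encode(value):
    """Apply HTML character entity encoding to untrusted text before it is reflected into a page."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def greeting_page(username):
    """Slide 12's greeting with the encoder applied where the data meets the HTML."""
    return "<html> Hello, " + html_encode(username) + " </html>"


# Input validation (slide 14): this example assumes a name holds only letters,
# spaces, hyphens and apostrophes, at most 64 characters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' \-]{0,63}")


def valid_name(value):
    """Reject input that does not match the expected format/character set."""
    return NAME_RE.fullmatch(value) is not None


# Slide 14's JavaScript note: data that will land inside script must not carry ' ; or /
JS_FORBIDDEN = set("';/")


def safe_for_js_string(value):
    return not (JS_FORBIDDEN & set(value))


def session_cookie_header(session_id):
    """Set-Cookie header for a session cookie with the HttpOnly and Secure flags (slide 13).
    The cookie name 'session' is assumed for this example."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # not readable from script
    cookie["session"]["secure"] = True     # only sent over HTTPS
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(greeting_page('<script>alert("x")</script>'))
    print(valid_name("Rachel Engel"), valid_name("Kathe>in&"))
    print(session_cookie_header("constructed-session-id"))
```

Validation and encoding are complementary: the validator keeps the attack characters out of fields where they never belong, and the encoder makes any data that does reach the page inert no matter which field it came from.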
15. Password Storage
• Never try to roll your own password storage. It's *really* hard.
• First wrong answer: storing passwords in plaintext. If the database gets lost, attackers have the users' passwords trivially.
• Second wrong answer: just apply a hash. Hackers have multi-terabyte tables mapping common passwords to their SHA-1 and MD5 hashes. You can download them from the web.

16. Password Storage
• Take three: include a 128-bit random number (salt) in every password hash
    $pw_hash = sha1($random + $password)
• This is better. It still doesn't take that long for attackers to build a rainbow table for a single salt, though.
• Take four: per-password salt. This is getting very close. The only downside now is that it still doesn't take that long to run MD5 or SHA-1 a few million times to hash common passwords.

17. Password Storage
• Doing it right: use a per-password salt, and make the hashing process really slow.
• The attackers need the hashing to be quick in order to attempt enough passwords for successful brute forcing.
• Bcrypt: a hash algorithm designed to be tunably slow. You can say how many times you want it to run the algorithm when hashing with it.
• Implementations for Java, Python, C, C#, Ruby, Perl, PHP

18. Password Storage
• If the hashing takes a few hundred milliseconds, users will scarcely notice the slight increase in time, as the hash happens only once.
• Attackers are trying to hash a million passwords for every salt. A per-hash cost of a few hundred milliseconds stops brute forcing attacks pretty effectively.
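The "doing it right" recipe of slides 17 and 18 as an added Python example, not code from the original slides. It uses PBKDF2 (named alongside bcrypt on the cheat sheet) because hashlib ships with Python, whereas bcrypt needs a third-party package; the iteration count plays the role of bcrypt's tunable cost. The 200,000-iteration default, the record layout and the shared-salt constant are assumptions for this example; the shared-salt function is included only to show the slide 16 weakness it is replacing.

```python
import hashlib
import hmac
import os
import time

# PBKDF2 iteration count is the cost knob (the equivalent of bcrypt's work factor).
# The value is an assumption for this example; tune it so that one hash takes a few
# hundred milliseconds on the server that will run it (see seconds_per_hash below).
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh 128-bit per-password salt; return a self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store algorithm, cost, salt and digest together so they can be verified later
    # and the cost can be raised for new hashes without breaking old ones.
    return "$".join([ALGO, str(iterations), salt.hex(), dk.hex()])


def verify_password(password, stored):
    """Recompute the hash from the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Slide 16's "take three", kept only to show why one shared salt is not enough:
# two users with the same password get the same hash, so one table cracks both.
SHARED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value


def hash_with_shared_salt(password):
    return hashlib.sha1(SHARED_SALT + password.encode("utf-8")).hexdigest()


def seconds_per_hash(iterations=ITERATIONS):
    """Measure the cost of one hash so the iteration count can be tuned."""
    start = time.perf_counter()
    hash_password("benchmark", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    print("seconds per hash: %.3f" % seconds_per_hash())
```

With a per-password salt, two identical passwords produce two different records, so a precomputed table is useless and every guess has to pay the full PBKDF2 cost against every account separately; that is exactly the asymmetry slide 18 describes.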
19. Cross Site Request Forgery
• Also known as hostile linking.
• The user is logged into bank.com
• The user visits http://super-sketchy-site.com/
• The HTML at super-sketchy-site.com includes the image tag below
    <img src="http://bank.com/transfer?amount=100000000&destination_account=10123453462">
• One billion dollars is transferred to the attacker's account.

20. Cross Site Request Forgery
• Really easy to defend against if you plan from the start.
• We'll tie the page that serves the user the money transfer form and the webservice that receives the transfer request together.
    $csrf_nonce = sha-2($hostname + $path + random());
    https://bank.com/transfer?amount=100&account=destination_account&csrf=$csrf_nonce
• The webservice will know the csrf_nonce, as will the page the user is using, but the attacker doesn't.

21. Cross Site Request Forgery
• Why planning really helps here:
• The method above can really be written in an hour or so. If you do that at the start, and include it in every form request (GET and PUT) on your website, you'll be safely protected against CSRF.
• If you wait until the website is already built, it ends up being very expensive. You usually have to rewrite major portions of the web application to completely defend against it.
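Both sides of the slide 20 scheme as an added Python example (not code from the original slides): the page that serves the transfer form embeds the nonce, and the webservice recomputes it and refuses requests that do not carry it, including the slide 19 image-tag request. The random() term is taken to be a per-session secret kept server-side; that interpretation, the NUL separators between the hashed fields, and the form layout are assumptions of this example rather than details from the slides.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlparse

HOSTNAME = "bank.com"         # from slide 19
TRANSFER_PATH = "/transfer"   # from the slide 19 URL


def new_session_secret():
    """The random() part of the slide's formula: generated once per session, held server-side,
    never visible to another site's page."""
    return os.urandom(32)


def csrf_nonce(secret, hostname, path):
    """Slide 20's construction: SHA-2 over hostname + path + random.
    NUL separators are an addition so that the host/path boundary is unambiguous."""
    h = hashlib.sha256()
    for part in (hostname.encode("utf-8"), b"\0", path.encode("utf-8"), b"\0", secret):
        h.update(part)
    return h.hexdigest()


def transfer_form_html(secret, amount, account):
    """The page that serves the form knows the session secret, so it can embed the nonce."""
    nonce = csrf_nonce(secret, HOSTNAME, TRANSFER_PATH)
    return ('<form action="https://%s%s">' % (HOSTNAME, TRANSFER_PATH)
            + '<input type="hidden" name="amount" value="%s">' % amount
            + '<input type="hidden" name="account" value="%s">' % account
            + '<input type="hidden" name="csrf" value="%s">' % nonce
            + '</form>')


def transfer_allowed(secret, request_url):
    """The webservice side: recompute the nonce for the requested host and path and compare
    it in constant time with whatever the request carried."""
    parsed = urlparse(request_url)
    supplied = parse_qs(parsed.query).get("csrf", [""])[0]
    expected = csrf_nonce(secret, parsed.hostname or "", parsed.path)
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    secret = new_session_secret()
    nonce = csrf_nonce(secret, HOSTNAME, TRANSFER_PATH)
    # Request produced by the bank's own form: carries the nonce, accepted.
    print(transfer_allowed(secret, "https://bank.com/transfer?amount=100&account=1&csrf=" + nonce))
    # Request produced by the slide 19 image tag: no nonce, refused.
    print(transfer_allowed(secret, "http://bank.com/transfer?amount=100000000&destination_account=10123453462"))
```

Because the nonce is derived from the path as well as the session secret, a nonce lifted from one form cannot be replayed against a different endpoint, and because the secret lives only in the server-side session, nothing the attacker's page can fetch or guess lets it produce a valid value.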
22. TL;DR / Cheat Sheet
• Use SSL front to back; get a free cert
• SQL Injection: use parameterized queries
• Cross Site Scripting: build an output encoding function, use it everywhere; HttpOnly flag, Secure flag
• Password storage: use bcrypt or PBKDF2 and a per-password salt
• CSRF: send sha2($hostname + $path + $random_number) in every request

23. Thank You
• Thanks to write/speak/code, and everyone here at the conference.
• Rachel Engel
• Principal Security Engineer at iSEC Partners
• 14 years in the computer industry (eek)
• rachel at isecpartners.com
• Contact tritter at isecpartners.com if you're in the NYC area and interested in security talks.

24.
• UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
• North American Offices: San Francisco, Atlanta, New York, Seattle
• Australian Offices: Sydney
• European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)